IP Block List not working Exchange 2016

  • Question

  •   The IP Block List does not appear to be working on incoming mail on our Exchange 2016 CU9 server and after checking the message header on an incoming email I noticed that the header looks a lot different than our exchange 2007 server did. I am not sure if this is an indication of something not being setup correctly or not. I have seen another post mentioning NAT firewall causing a problem with IP Blocking, but nothing but the server has changed since upgrading the server from Windows Server 2003 and Exchange 2007 to Windows Server 2016 and Exchange 2016. This is what the "Received from" section of an email we received on our Exchange 2016 server looks like. 

    Received: from OurServer.OurDomain.com (Our IP Address) by OurServer.OurDomain.com
     (Our IP Address) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3 via Mailbox
     Transport; Fri, 6 Apr 2018 11:51:56 -0700
    Received: from OurServer.OurDomain.com (Our IP Address) by OurServer.OurDomain.com
     (Our IP Address) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Fri, 6 Apr 2018
     11:51:07 -0700
    Received: from SendingServer.SendingDomain.com (Sending IP Address) by OurServer.OurDomain.com
     (Our IP Address) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3 via Frontend
     Transport; Fri, 6 Apr 2018 11:51:07 -0700
    Received: from SendingServer.SendingDomain.com (Sending IP Address) by
     SendingServer.SendingDomain.com (Sending IP Address) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
     15.1.1415.2; Fri, 6 Apr 2018 11:50:18 -0700
    Received: from SendingServer.SendingDomain.com ([::1]) by SendingServer.SendingDomain.com
     ([::1]) with mapi id 15.01.1415.002; Fri, 6 Apr 2018 11:50:18 -0700

     Our 2007 Exchange server message header would only list the sending domain info and not ours.

     The block for the sending domain seems to be working fine, but just not the IP address blocking.

     Here are the results from Get-IPBlockListConfig

    [PS] C:\Users\Administrator\Desktop>Get-IPBlockListConfig


    RunspaceId                    : 3564aa23-ef4b-4088-98b0-bdee00677433
    Name                          : IPBlockListConfig
    MachineEntryRejectionResponse : External client with IP address {0} does not have permissions to submit to this
                                    server. Visit http://support.microsoft.com/kb/928123 for more information.
    StaticEntryRejectionResponse  : External client with IP address {0} does not have permissions to submit to this server.
    Enabled                       : True
    ExternalMailEnabled           : True
    InternalMailEnabled           : False
    AdminDisplayName              :
    ExchangeVersion               : 0.1 (8.0.535.0)
    DistinguishedName             : CN=IPBlockListConfig,CN=Message Hygiene,CN=Transport Settings,CN=First
                                    Organization,CN=Microsoft
                                    Exchange,CN=Services,CN=Configuration,DC=OurDomain,DC=com
    Identity                      : IPBlockListConfig
    Guid                          : 78f80d87-e701-4bf1-b7b0-176f3a2f86a6
    ObjectCategory                : OurDomain.com/Configuration/Schema/ms-Exch-Message-Hygiene-IP-Block-List-Config
    ObjectClass                   : {top, msExchAgent, msExchMessageHygieneIPBlockListConfig}
    WhenChanged                   : 1/6/2018 7:01:27 PM
    WhenCreated                   : 1/6/2018 7:01:27 PM
    WhenChangedUTC                : 1/7/2018 3:01:27 AM
    WhenCreatedUTC                : 1/7/2018 3:01:27 AM
    OrganizationId                :
    Id                            : IPBlockListConfig
    OriginatingServer             : OurServer.OurDomain.com
    IsValid                       : True
    ObjectState                   : Unchanged

     Any help would be very much appreciated. 

    Tuesday, April 10, 2018 5:11 AM

Answers

  • Hi,

    Based on your description, I know that you are getting the issue that IP block list is not working in Exchange 2016 CU9.

    As far as I know, the IP block list feature is enabled by the Connection Filtering Agent. The Connection Filtering Agent feature is installed in Edge server by default, however it is not installed by default when Exchange Anti-Spam is enabled on a Mailbox server.

    To use the IP block list feature in a mailbox server, follow steps below:

    1. Manually install the Connection Filtering Agent:

    Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"


    2. Enable the Connection Filtering:

    Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

    3. Restart the Microsoft Exchange FrontEnd Transport service.

    Hope it helps.

    ===============

    Updates: 

    The only way to enable the Connection Filtering agent is to install an Edge Transport server in the perimeter network. So the above method will not work in Exchange 2016 server.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Manu Meng Thursday, April 12, 2018 4:02 PM
    • Marked as answer by OSExterminator Thursday, April 19, 2018 12:58 AM
    • Edited by Manu Meng Wednesday, November 28, 2018 5:58 AM Add a update
    Wednesday, April 11, 2018 7:11 AM

All replies

  •  Thank you so much for your response Manu. We were under the impression that Microsoft did not support connection filtering on Exchange 2016 Hub transport servers any more. It appears you have to have an Edge Transport server on the perimeter now in order to use the connection filtering.

     "In Exchange 2010, when you enabled the anti-spam agents on a Hub Transport server, the Attachment Filter agent was the only anti-spam agent that wasn't available. In Exchange 2016, when you enable the anti-spam agents on a Mailbox server, the Attachment Filter agent and the Connection Filtering agent aren't available."

    https://technet.microsoft.com/en-us/library/jj619283(v=exchg.160).aspx

     We didn't see any alternative method of doing the IP filtering, do you know if there is a different method of using IP filtering if you don't run Edge Transport servers?

    Kevin

    Friday, April 13, 2018 8:53 PM
  • Hi Kevin, 

    In Exchange 2016, there is not a HUB server role, it has been integrated into the Mailbox server role, therefore we need to manually install the Connection Filtering Agent on the Mailbox servers, just use the method in my last post.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Manu Meng Wednesday, April 18, 2018 2:24 AM
    Tuesday, April 17, 2018 6:24 AM
  • Hi Manu,

     Thanks so much for your help. We have installed the connection filtering agent and enabled it. Everything seems to be working well. We will be doing some more testing in the next week.

    Thanks again!

    Kevin

    Thursday, April 19, 2018 12:58 AM
  • Hi Kevin, do you confirm that the connection filtering agent is working on your installation? I've followed the installation steps in my 2016 mailbox server (no Edge), the agent is enabled but I get no logs and no evidence that the filtering is working.

    Thanks

    Gabriele

    Wednesday, July 25, 2018 5:23 PM
  • Gabriele,

     Yes we did confirm it was working. We enabled anti-spam agent logging and checked the "agent" column of the log file to verify that messages were being handled by the "Content Filter Agent".

     We also sent some test messages that were blocked as expected.

     I hope this helps.

    Regards, 

    Kevin

    Wednesday, July 25, 2018 6:02 PM
  • Hi Kevin, thanks for writing back to me!

    Unfortunately in my case the connection filter is not working at all. You said that you had the "Content filter Agent" entries inside the logs, but the "Content Filter" is different from the "Connection Filter": content filters are enabled in Mailbox Servers with the Install-AntispamAgents.ps1 (working, supported configuration) and they scan for message contents. The "connection filter", on the other hand, is part of FrontEnd role, has separate logs (default is C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog) and should drop incoming connections matching RBLs. As you said on April 13, installing this agent on mailbox Server is not supported. It's generous of Manu to give the "Install-TransportAgent workaround", but I start to doubt that this solution applies to Exchange 2016. Or you really got connection filtering logs?

    Thanks again and sorry for being skeptical

    Gabriele

    Wednesday, July 25, 2018 10:53 PM
  • Gabriele,

     Sorry, I misread your post. We had another post on the forums about content filtering.

    We found the same thing you did in regards to the connection filtering in our testing. It allowed us to add the IP we wanted to block to the "IPBlockListEntry" list, but after testing it did not appear to be working.

    Regards Kevin

    • Proposed as answer by GabriwareIT Thursday, July 26, 2018 12:17 AM
    Wednesday, July 25, 2018 11:59 PM
  • Thanks again Kevin for all the information you provided. I'll keep investigating, but my feeling is that the connection filter will not work without the Edge role installed, no matter what we try.

    Have a nice day!

    Gabriele

    Thursday, July 26, 2018 12:19 AM
  • Gabriele,

    Please let us know what you find. We tried enabling the logging using the management shell

    Set-TransportService <ServerIdentity> -AgentLogEnabled $true........

    but we had no luck. When we checked the folder we specified there was no log file. Another indication it didn't seem to be working.

    Good luck. If we find anything more we will post back here.

    Regards,

    Kevin

    Thursday, July 26, 2018 12:56 AM
  • The right command is Set-FrontEndTransportService as the agent is installed in the FrontEnd service and not in the mailbox service. But you don't need to enable it, as agent logging is enabled by default.

    Problem is that the connection filter is installed, enabled and even appears in the transport pipeline but it simply doesn't work.

    Let's keep updated

    Gabriele

    Thursday, July 26, 2018 8:54 AM
  • So, what WAS the answer?
    Monday, January 21, 2019 4:12 AM
  • So here is the answer during the times of this pandemic.

    Connection filtering RBL can be installed\enabled with the workaround command on a mailbox server and it does work and so does the agent log. The agent log for rbl only shows entries for blacklisted senders. Just use get-agentlog -transportservice frontend. Note that this is a workaround and not officially supported. Tested on 2016 cu17.

    The Connection filtering IPBlockListEntry and IPAllowListEntry (specific static IP entries) do not work on non-Edge servers, but who uses those anyway.

    Commands here:

    http://woshub.com/configure-spam-protection-in-exchange-2013-rbl-providers/

     Be safe and social distance.

    • Edited by NubSaibot Sunday, July 19, 2020 1:59 PM
    Sunday, July 19, 2020 3:49 AM
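The install/enable steps from Manu's answer combined with the verification NubSaibot describes (Get-AgentLog against the FrontEnd service), as an added PowerShell example that is not part of this thread. It assumes the Exchange Management Shell on the Mailbox server, that the FrontEnd service is named MSExchangeFrontEndTransport, and that Get-TransportPipeline and Get-AgentLog accept -TransportService FrontEnd; the thread itself notes this is an unsupported workaround and that only RBL-provider hits, not static IPBlockListEntry entries, show up.

```powershell
# Added example, not from the thread. Apply the Connection Filtering workaround
# idempotently on a Mailbox server (no Edge role) and then verify it is actually
# doing something, instead of trusting that Enable-TransportAgent succeeded.
$agentName = "Connection Filtering Agent"
$factory   = "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory"
$assembly  = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

# 1. Install only if the FrontEnd service does not already list the agent
#    (a second Install-TransportAgent with the same name errors out).
$agent = Get-TransportAgent -TransportService FrontEnd |
         Where-Object { $_.Identity -eq $agentName }
if (-not $agent) {
    Install-TransportAgent -Name $agentName -TransportService FrontEnd `
        -TransportAgentFactory $factory -AssemblyPath $assembly | Out-Null
}

# 2. Enable it and restart the FrontEnd transport service so the agent is loaded.
#    Assumed service name: MSExchangeFrontEndTransport.
Enable-TransportAgent -TransportService FrontEnd -Identity $agentName
Restart-Service MSExchangeFrontEndTransport

# 3a. Is the agent registered on any FrontEnd pipeline event (OnConnect etc.)?
$pipelineHits = Get-TransportPipeline -TransportService FrontEnd |
    Where-Object { ($_.TransportAgents | Out-String) -like "*$agentName*" }
if ($pipelineHits) {
    Write-Host "Agent is in the FrontEnd pipeline on: $($pipelineHits.Event -join ', ')"
} else {
    Write-Warning "Agent is installed but absent from the FrontEnd pipeline."
}

# 3b. Has it rejected anything? Per the thread, the FrontEnd agent log only
#     records RBL-listed senders, so an empty result after a quiet period is
#     not proof of failure; a non-empty one is proof the agent is working.
$since = (Get-Date).AddDays(-1)
$rejects = Get-AgentLog -TransportService FrontEnd -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq $agentName }
"{0} connection-filter entries in the last 24h" -f @($rejects).Count
$rejects | Select-Object Timestamp, IPAddress, P1FromAddress, Action, Reason, ReasonData |
    Format-Table -AutoSize
```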